Basic information

Port scan

Ports 22 and 80 are open:

$ nmap -sC -sV -Pn 10.10.11.67
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-07 14:20 JST
Nmap scan report for 10.10.11.67
Host is up (0.19s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey:
| 256 5c:02:33:95:ef:44:e2:80:cd:3a:96:02:23:f1:92:64 (ECDSA)
|_ 256 1f:3d:c2:19:55:28:a1:77:59:51:48:10:c4:4b:74:ab (ED25519)
80/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Did not follow redirect to http://environment.htb
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.89 seconds

Port 80

A hosts entry is needed:

10.10.11.67 environment.htb

The site is environment-protection themed:

Directory scan

Directory scanning finds paths such as login and mailing:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://environment.htb/

/build (Status: 301) [Size: 169] [--> http://environment.htb/build/]
/favicon.ico (Status: 200) [Size: 0]
/index.php (Status: 200) [Size: 4602]
/login (Status: 200) [Size: 2391]
/logout (Status: 302) [Size: 358] [--> http://environment.htb/login]
/mailing (Status: 405) [Size: 244854]
/robots.txt (Status: 200) [Size: 24]
/storage (Status: 301) [Size: 169] [--> http://environment.htb/storage/]

mailing

Visiting mailing directly returns a Laravel error page with debug output:

login

Credentials are required:

login

Tampering with the login request by removing values shows that clearing the remember field also produces the debug error output:

The error output additionally reveals some environment information:

CVE-2024-52301

Searching on the environment variable and the framework version turns up the relevant vulnerability:

Login bypass

Adding the environment variable parameter to the login request bypasses the login and redirects to management (every request must be intercepted and modified; the initial login step cannot be skipped):

management

Adding the same environment variable parameter to the management request reveals a php info option:

info

Requesting info with the same environment variable parameter yields the APP_KEY:

base64:BRhzmLIuAh9UG8xXCPuv0nU799gvdh49VjFDvETwY6k=

profile

The profile page allows uploading an avatar:

webshell to www-data

Testing the upload shows that it is checked; the usual GIF89a header is enough to pass the first layer, the content check:

Next comes the extension check; testing shows that the system strips the final dot from the filename:

Using the two bypasses above, a webshell is obtained and then upgraded to a reverse shell:
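For the defensive side of this step, the following is an added example (not code from the writeup or from the target application) of an avatar-upload validator that closes both weaknesses described above: it normalises the filename before deciding on the extension rather than after, it checks the whole image structure instead of only the leading magic bytes, and it never stores the upload under a user-controlled name. The sample GIF bytes are constructed inline; the function names and the 2 MB limit are assumptions for the example.

```python
"""Hardened avatar-upload validator (added example, not the target's code).

Two checks that the writeup shows being bypassed are done differently here:
  * the original name is normalised (trailing dots/spaces removed) BEFORE the
    extension is read, so a name ending in an extra dot cannot change meaning
    after validation;
  * the content check requires a format-consistent header AND trailer, so a
    bare "GIF89a" prefix in front of arbitrary bytes is not enough.
The stored name is generated server-side, so no user bytes reach the path.
"""
import os
import re
import secrets
import struct

ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,100}")


class UploadRejected(ValueError):
    """Raised for any upload that fails validation."""


def canonical_extension(filename: str) -> str:
    """Return the lowercase extension of the normalised original name.

    Normalisation happens first: 'x.php.' becomes 'x.php', whose extension is
    then rejected, instead of being treated as an unknown extension now and
    turning into .php later.
    """
    name = os.path.basename(filename.strip()).rstrip(". ")
    if not SAFE_NAME_RE.fullmatch(name):
        raise UploadRejected("filename contains disallowed characters")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} is not allowed")
    return ext


def looks_like_image(ext: str, data: bytes) -> bool:
    """Structural check: header and trailer must both match the format."""
    if ext == "gif":
        # 6-byte header, 7-byte logical screen descriptor, 0x3B trailer.
        if len(data) < 14 or data[:6] not in (b"GIF87a", b"GIF89a") or data[-1:] != b"\x3b":
            return False
        width, height = struct.unpack("<HH", data[6:10])
        return width > 0 and height > 0
    if ext == "png":
        return data.startswith(b"\x89PNG\r\n\x1a\n") and data.endswith(b"IEND\xaeB`\x82")
    if ext in ("jpg", "jpeg"):
        return data.startswith(b"\xff\xd8\xff") and data.endswith(b"\xff\xd9")
    return False


def validate_upload(filename: str, data: bytes, max_bytes: int = 2_000_000) -> str:
    """Validate an upload and return the server-generated name to store it under."""
    ext = canonical_extension(filename)
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    if not looks_like_image(ext, data):
        raise UploadRejected("content does not match the declared image type")
    # Random name: nothing from the client influences the stored path.
    return f"{secrets.token_hex(16)}.{ext}"


def is_accepted(filename: str, data: bytes) -> bool:
    """Boolean wrapper around validate_upload, convenient for checks and tests."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


# Constructed minimal GIF: header, 1x1 logical screen, three descriptor bytes, trailer.
GOOD_GIF = b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x00\x00\x00" + b"\x3b"
# Constructed sample that only carries the magic prefix, as in the writeup's bypass.
PREFIX_ONLY = b"GIF89a" + b"A" * 20
```

Even with this validator, the upload directory should be served without script execution (a web-server rule, not something the validator can enforce), and a production system would additionally re-encode the image with an imaging library rather than rely on header/trailer checks alone.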

gpg

Basic enumeration shows that the hish user's gpg directory is world-readable and contains a gpg-encrypted file:

Because decryption writes some temporary files and we have no write access to the original gnupg directory, copy it out and use the copy for decryption:

cp -r /home/hish/.gnupg .
gpg --homedir /tmp/miao/.gnupg --decrypt /home/hish/backup/keyvault.gpg > keyvault

PAYPAL.COM -> Ihaves0meMon$yhere123
ENVIRONMENT.HTB -> marineSPm@ster!!
FACEBOOK.COM -> summerSunnyB3ACH!!

user flag

Log in as hish with the ENVIRONMENT.HTB password obtained above:

Privilege escalation information

This step is obvious: sudo is allowed to run systeminfo, but env_keep+="ENV BASH_ENV" is set, which is a very standard environment variable hijack.

Privilege escalation & root flag

Environment variable hijacking gives arbitrary command execution:
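Both host-level findings in this writeup, the world-readable .gnupg directory in the gpg section and the sudoers env_keep that preserves ENV and BASH_ENV here, are things a hardening audit can flag mechanically. The following is an added example (not from the writeup or the target machine) of such an audit: one function parses sudoers text for env_keep entries that preserve shell-initialisation or loader variables, the other reports .gnupg directories under a home root that other users can read or traverse. The sudoers sample is constructed; the variable list and the function names are assumptions for the example.

```python
"""Audit helpers for two misconfigurations (added example, not the writeup's code):
  * sudoers env_keep entries that preserve BASH_ENV, ENV or loader variables,
    which let the invoking user run code inside a sudo-launched shell;
  * ~/.gnupg directories readable or traversable by other users.
Paths are parameters, so the functions can be pointed at a copied sudoers
file or a test fixture instead of the live system.
"""
import re
import stat
from pathlib import Path

# Variables that change what a shell or interpreter executes before the
# intended command runs (assumed list; extend for local tooling).
DANGEROUS_ENV = {"BASH_ENV", "ENV", "LD_PRELOAD", "LD_LIBRARY_PATH", "PERL5OPT", "PYTHONPATH"}

# Matches 'Defaults[...] env_keep = "..."' and 'env_keep += ...' (not 'env_keep -=').
ENV_KEEP_RE = re.compile(r'\s*Defaults\b[^#]*?\benv_keep\s*\+?=\s*"?([^"#]*)"?')


def sudoers_env_keep_findings(text: str) -> list:
    """Return dangerous variable names preserved by env_keep, in file order."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        m = ENV_KEEP_RE.match(line)
        if not m:
            continue
        for var in m.group(1).split():
            if var in DANGEROUS_ENV:
                found.append(var)
    return found


def gnupg_dir_is_exposed(mode: int) -> bool:
    """True if the mode bits grant read or execute (traverse) to others."""
    return bool(mode & (stat.S_IROTH | stat.S_IXOTH))


def world_accessible_gnupg_dirs(home_root: str) -> list:
    """List <home_root>/*/.gnupg directories whose mode exposes them to others."""
    hits = []
    for d in sorted(Path(home_root).glob("*/.gnupg")):
        if d.is_dir() and gnupg_dir_is_exposed(d.stat().st_mode):
            hits.append(str(d))
    return hits


# Constructed sudoers fragment mirroring the setting the writeup describes.
CONSTRUCTED_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "ENV BASH_ENV"
Defaults env_keep -= "LD_PRELOAD"   # removal, must not be reported
# Defaults env_keep += "PYTHONPATH"  # commented out, must not be reported
"""

if __name__ == "__main__":
    import sys
    sudoers_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sudoers"
    home_root = sys.argv[2] if len(sys.argv) > 2 else "/home"
    with open(sudoers_path, encoding="utf-8", errors="replace") as fh:
        print("env_keep preserves:", sudoers_env_keep_findings(fh.read()))
    print("exposed .gnupg dirs:", world_accessible_gnupg_dirs(home_root))
```

Running it as root against the live sudoers (and any files it includes) plus /home reports the two conditions the writeup relied on; the expected remediation is to drop BASH_ENV and ENV from env_keep and restore 0700 on the gpg home directory.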

shadow

root:$y$j9T$ri4ncGGOHy2ucyMf0/wae1$qfFOfsAj1qUCeQyGnjCYhdLQ9XqcCOBscht51lZEei1:20094:0:99999:7:::
hish:$y$j9T$4I1ToSPTrzuz2EoDweHsP/$7rS9lhc9.n/Hrx4r.bJ9KsKIpOaPDV0mj4pgLV2PF/7:20094:0:99999:7:::

References